ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamm_5.4.0.1/rzammsecurity.htm

161 lines
10 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security considerations" />
<meta name="abstract" content="This topic provides information about iSeries Access for Web security considerations." />
<meta name="description" content="This topic provides information about iSeries Access for Web security considerations." />
<meta name="DC.Relation" scheme="URI" content="rzammplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammsso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammbrowserconsid.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammcustpolicies.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammportroles.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzammsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security considerations</title>
</head>
<body id="rzammsecurity"><a name="rzammsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security considerations</h1>
<div><p>This topic provides information about iSeries™ Access for Web security considerations.</p>
<div class="section"><h4 class="sectiontitle">Authentication</h4><p>iSeries Access for Web needs to have
the user identity authenticated so that i5/OS™ resources are accessed with the correct
user profile. The methods of authenticating the user identity are different
for the Web application and the portal application.</p>
<dl><dt class="dlterm">Web application</dt>
<dd>The Web application can be configured to authenticate users or to allow WebSphere<sup>®</sup> to
authenticate users. <p>The Web application authenticates the user identity
with i5/OS using
a user profile and password. HTTP basic authentication is used to prompt for
a user profile and password. HTTP basic authentication encodes the user profile
and password, but does not encrypt them. To secure authentication information
during transmission, secure HTTP (HTTPS) should be used.</p>
<p>WebSphere authenticates
the user identity with the active user registry. WebSphere uses HTTP basic authentication
or form-based authentication to prompt for the user ID and password. HTTP
basic authentication encodes the user ID and password, but does not encrypt
them. Form-based authentication sends the user ID and password in clear text.
To secure authentication information during transmission, secure HTTP (HTTPS)
should be used.</p>
<p>Allowing WebSphere to authenticate the user
identity using form-based authentication enables the Web application to participate
in WebSphere single
sign-on (SSO) environments.</p>
<p>Once WebSphere has authenticated the user
identity, the Web application uses Enterprise Identity Mapping (EIM) to map
the authenticated WebSphere user identity to an i5/OS user identity.</p>
<p>For
information on iSeries Access
for Web and EIM, see the "Single sign-on considerations" topic. </p>
<p>For
information on WebSphere single
sign-on, see "Configure single sign-on" in the appropriate Information center
version. Links to WebSphere information centers are in the <a href="http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/" target="_blank"> IBM<sup>®</sup> WebSphere Application Server documentation</a>.</p>
</dd>
<dt class="dlterm">Portal application</dt>
<dd>The portal application relies on the portal server to authenticate the
user identity. <div class="p"><img src="./delta.gif" alt="Start of change" />Once the portal server has authenticated the
user identity, the iSeries Access portlets can be used. Each portlet
provides an option in edit mode for selecting the credential to use when accessing i5/OS resources.
Select one of these options:<dl><dt class="dlterm"><strong>Use credential specific to this portlet window</strong></dt>
<dd>An i5/OS user
profile and password are supplied for this portlet instance. This credential
cannot be used by other portal users or other portlet instances for the current
portal user.</dd>
<dt class="dlterm"><strong>Use credential set with iSeries Credentials portlet</strong></dt>
<dd>An i5/OS user
profile and password is selected from a list of credentials that were defined
using the iSeries Credentials
portlet. This credential can be used by other portlet instances for the current
portal user, but cannot be used by other portal users.</dd>
<dt class="dlterm"><strong>Use system shared credential set by administrator</strong></dt>
<dd>An i5/OS user
profile and password is selected from a list of credentials that were defined
by the portal administrator using the Credentials Vault administration function.
This credential can be used by all portal users.</dd>
<dt class="dlterm"><strong>Use authenticated WebSphere credential</strong></dt>
<dd>The authenticated portal environment user identity is mapped to an i5/OS user
identity using EIM. For information about iSeries Access for Web and EIM, see the
"Single sign-on considerations" topic. </dd>
</dl>
<img src="./deltaend.gif" alt="End of change" /></div>
<p>For information about how WebSphere Portal authenticates the
user identity, see <span class="menucascade"><span class="uicontrol">Securing your portal </span> &gt; <span class="uicontrol">Security Concepts</span> &gt; <span class="uicontrol">Authentication</span></span> in the <a href="http://publib.boulder.ibm.com/pvc/wp/502/smbi/en/InfoCenter/index.html" target="_blank"> WebSphere Portal Information Center</a>.</p>
</dd>
</dl>
</div>
<div class="section"><h4 class="sectiontitle">Restricting access to functions</h4><p>Users can be restricted
from accessing iSeries Access
for Web functions. Different methods of restricting access are used in the
Web application and the portal application.</p>
<p>For information on restricting
access to functions for the Web application, see the "Policies" topic. </p>
<p>For
information on restricting access to functions for the portal application,
see the "Portal roles" topic. </p>
</div>
<div class="section"><h4 class="sectiontitle">Object level security</h4><p>iSeries Access for Web uses object level
security when accessing i5/OS resources. Users will not be able to access i5/OS resources
if their i5/OS user
profile does not have the proper authority.</p>
</div>
<div class="section"><h4 class="sectiontitle">Secure HTTP (HTTPS)</h4><p>You can configure the iSeries server
to use a security protocol, called Secure Sockets Layer (SSL), for data encryption
and client/server authentication. For information about SSL, HTTPS, and digital
certificates, see the following:</p>
<ul><li>Security and SSL information in the <a href="http://www.ibm.com/eserver/iseries/software/http/docs/doc.htm" target="_blank">HTTP server documentation</a> <img src="www.gif" alt="Link outside Information Center" />.</li>
<li>Security and SSL information in the <a href="http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/docs/doc.htm" target="_blank">WebSphere Application Server documentation</a> <img src="www.gif" alt="Link outside Information Center" />.</li>
<li>Securing your portal in the <a href="http://publib.boulder.ibm.com/pvc/wp/502/smbi/en/InfoCenter/index.html" target="_blank">WebSphere Portal information center</a><img src="www.gif" alt="Link outside Information Center" />.</li>
<li><img src="./delta.gif" alt="Start of change" />Using digital certificates and the SSL to enable secure communications
for many applications in the <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager (DCM)</a> topic. <img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Exit programs</h4><p>iSeries Access for Web makes extensive
use of the following Host Servers:</p>
<ul><li>Signon</li>
<li>Central</li>
<li>Remote Command/Program Call</li>
<li>Database</li>
<li>File</li>
<li>Network Print</li>
</ul>
<p>Exit programs that restrict access to these servers, especially Remote
Command/Program Call, will cause all or portions of iSeries Access for Web to not function.</p>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzammsso.htm">Single sign-on considerations</a></strong><br />
Learn about considerations associated with using single sign-on in a Web application server environment.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammplan.htm" title="This topic contains conceptual information, considerations you need to be aware of, and checklists to help you get ready to use iSeries Access for Web.">Plan for iSeries Access for Web</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzammbrowserconsid.htm">Browser considerations</a></div>
<div><a href="rzammcustpolicies.htm" title="The Customize Policies function controls access to iSeries Access for Web functions. Individual policy settings can be administered at the iSeries user and group profile level.">Policies</a></div>
<div><a href="rzammportroles.htm" title="Understand the WebSphere Portal role assignments used by iSeries Access portlets.">Portal roles</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm" target="_blank">Digital Certificate Manager (DCM)</a></div>
</div>
</div>
</body>
</html>